On Sat, Aug 21, 2010 at 6:18 PM, grarpamp <grarp...@gmail.com> wrote:
> > > Nothing in the open source field can do so yet afaik.
>
> To do it, a shim needs to be coded and placed between the application and
> Tor.
> user <-> browser <-> [optional tool] <-> shim <-> tor:9050
>
> The shim needs to listen on a proxy port (and/or two configurable
> ports (for http and https)) and connect out to the world (or tor) to a
> proxy port (socks) (and/or two other ports (for http and https or
> whatever port the input protocol used)).
>
> It would pass http unmodified.
> It would break end to end https. If the destination site had an invalid
> cert, it would present an invalid self-generated one to the client. If the
> destination site had a valid cert, it would present a self-generated and
> self-signed one to the client (which had obviously included the shim's
> root as a trusted cert), simply to signify to the client as to validity.
> Identity would be available from verbose logging in the shim and via an
> http[s] port on the shim itself.
>
> It could furthermore 'tee' off two output ports from its bottom and
> receive two input ports from its top. These would be a more general hook
> into 'optional toolchains' located in between the client and server side,
> decoding and shuffling the data stream in and out to a toolset at that
> point.
>
> It should have no 'censoring', caching or other features.. as that is what
> the optional toolsets do best.
>
> Note that 'browser' could be anything that can speak http[s], not
> just FF/MSIE. So 'plugins' are a non option.

Very interesting idea. I am considering attempting this in an upcoming practicum term at school starting in January 2011.
I wonder if you could help me a bit further by providing a list of advantages this shim would/could provide. I can see it could provide some protection against ssl/ssh mitm attacks. It could better protect the "browser" (or other app) by moving some of the ssl/tls/cert logic out to an open source proxy of sorts. It could better protect users against ssl/tls/cert vulnerabilities in both open source and proprietary apps. But I confess to not being sufficiently capable yet on this issue, so any input by any other readers here would be greatly appreciated.

-- 
Julie
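The certificate rule at the heart of the quoted design (verify the destination's cert; if it is valid, hand the client a cert chained to the shim's own root, which the client has installed; if it is not, hand the client a self-signed one that will trip the usual warning) written out in Go, as an added example for this thread. It is not code from grarpamp, from Julie's practicum, or from any existing shim. Everything beyond the quoted design is an assumption made for the example: the function names (`NewRoot`, `ChainVerifies`, `MintForClient`), the host name `example.test`, and a "constructed upstream CA" that stands in for a public CA so the whole thing runs offline. Certificates are minted with the Go standard library only, and the same `ChainVerifies` check covers a second failure the quote does not spell out, a cert that chains fine but was issued for a different host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Root is a self-signed CA: the shim's own root (which the design has the client
// install as trusted) or, when testing, a constructed stand-in for a public CA.
type Root struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key and a certificate from tmpl with a random
// 128-bit serial. With a nil parent the certificate is self-signed.
func issue(tmpl *x509.Certificate, parent *Root) (*x509.Certificate, []byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, key, err
}

// NewRoot mints a self-signed CA certificate with the given common name.
func NewRoot(cn string) (*Root, error) {
	cert, _, key, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
	if err != nil {
		return nil, err
	}
	return &Root{Cert: cert, Key: key}, nil
}

// ChainVerifies is the check the shim runs on the destination's chain: it must
// chain to one of roots and be valid for host. A client runs the same check on
// whatever certificate the shim presents to it.
func ChainVerifies(chain, roots []*x509.Certificate, host string) bool {
	if len(chain) == 0 {
		return false
	}
	trust, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		trust.AddCert(c)
	}
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: trust, Intermediates: inter})
	return err == nil
}

// MintForClient issues the certificate the shim presents to the browser for host:
// chained to the shim root when the destination verified (clean connection for a
// client trusting that root), self-signed when it did not (the client gets a warning).
func (r *Root) MintForClient(host string, upstreamValid bool) (tls.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	var parent *Root // nil: self-signed, nothing the client trusts behind it
	if upstreamValid {
		parent = r // chained to the shim root the client trusts
	}
	leaf, der, key, err := issue(tmpl, parent)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

func main() {
	shim, _ := NewRoot("shim root") // constructed: the root the client would install
	c, _ := shim.MintForClient("example.test", false)
	fmt.Println("client trusts self-signed leaf:", ChainVerifies([]*x509.Certificate{c.Leaf}, []*x509.Certificate{shim.Cert}, "example.test"))
}
```

The `tls.Certificate` returned by `MintForClient` is what a real shim would hand to `tls.Server` on the client-facing socket after it has finished its own handshake with the destination; minting per host on demand is what lets the shim stay free of the caching and filtering the quoted design leaves to the optional toolsets.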